
CN108229172A - Cross-level data flow tracing method based on the Windows platform

Info

Publication number
CN108229172A
Authority
CN
China
Prior art keywords
data
monitored
program
user space
analyzed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810148627.XA
Other languages
Chinese (zh)
Inventor
韩志辉
吕志泉
张帅
严寒冰
丁丽
李佳
李志辉
张腾
温森浩
陈阳
王适文
姚力
朱芸茜
徐剑
雷君
王小群
肖崇蕙
贾子骁
马莉雅
高川
周昊
周彧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National Computer Network and Information Security Management Center
Priority to CN201810148627.XA
Publication of CN108229172A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention relates to a cross-level data flow tracing method based on the Windows platform, comprising: obtaining information about the APIs used for data exchange between kernel mode and user mode of the Windows operating system; running the program to be analyzed and executing its instructions; traversing the processes in the operating system, obtaining the process whose name matches the process name of the program to be analyzed, and marking it as the monitored process; marking the data generated while the monitored process executes as user-mode monitored data; while the program to be analyzed calls one of these APIs, if the corresponding input parameter is user-mode monitored data, marking the kernel data to which that input is mapped as kernel-mode monitored data; and performing data flow tracing analysis on the user-mode monitored data and the kernel-mode monitored data, so as to determine whether the program to be analyzed exhibits malicious behavior. The invention can analyze malicious programs that contain both user-mode code and kernel-mode code, can monitor the complete processing of data within a program, and has high accuracy.

Description

Cross-level data flow tracing method based on the Windows platform
Technical field
The present invention relates to the technical field of network security, and in particular to a cross-level data flow tracing method based on the Windows platform.
Background
Windows is the current mainstream operating system. Because of the complexity of software and users' lack of security awareness, malicious code that uses low-level techniques, and software with malicious functions, spreads widely, and the damage it causes is increasingly serious. At present such software is mainly analyzed with data flow tracing methods, but traditional data flow tracing is usually confined to user mode alone or to kernel mode alone, and it is difficult to trace information passed between user mode and kernel mode. Windows has two levels, kernel mode and user mode. Existing Windows data flow analysis methods are typically based on platforms such as PinGrind, TEMU, PANDA and DECAF, and perform data flow tracing using taint propagation analysis. Taint propagation analysis generally takes one of two approaches: Method 1 uses a debugger, attached to the program, to extract and analyze the data flow; Method 2 builds a virtual machine and analyzes the data flow by monitoring physical memory.
The PinGrind platform performs data flow analysis using Method 1 and monitors only user-mode code. Specifically, the data flow is analyzed at the user layer: a debugger is attached to the target process, every binary instruction the program executes is monitored, the operation of each instruction is analyzed, and data flow analysis such as taint propagation is applied to it. User-layer data flow analysis can monitor the instructions executed by the process fairly completely, but this approach loses the original semantics of the program's kernel-layer behavior and also ignores the communication interface between the user layer and the kernel layer, so analyzing cross-process data flow with a debugger is very difficult.
Platforms such as TEMU, PANDA and DECAF perform data flow analysis using Method 2 and do not distinguish user mode from kernel mode; the data obtained is mixed together, which interferes with later analysis. Specifically, the monitoring target is the physical memory of the entire virtual machine, and the communication between user-mode programs and kernel-mode programs is not distinguished. Data flow tracing based on this method involves a large volume of data and is difficult to analyze.
It follows that current Windows data flow tracing analysis methods have at least the following shortcomings:
(1) Analysis methods based on a virtual machine cannot effectively monitor and distinguish the information exchange between user-mode code and kernel-mode code, or the data flow within the different levels.
(2) Data flow analysis methods based on attaching a debugger cannot effectively analyze the semantics of kernel-mode programs, and likewise ignore the data exchanged between the two levels.
However, in many cases malicious code contains both a user-mode executable body and a kernel-mode executable body that pass information to each other. Existing data flow tracing methods therefore struggle to analyze the mechanism of such malicious code accurately and stably, and how to achieve cross-level data flow tracing on the Windows platform has become a technical problem in urgent need of a solution.
Summary of the invention
The technical problem to be solved by the invention is to provide a cross-level data flow tracing method based on the Windows platform which, by building a virtualized analysis environment and monitoring the data exchange interfaces and instructions, achieves full-range monitoring and differentiation of cross-level data exchange.
To solve the above technical problem, the invention provides a cross-level data flow tracing method based on the Windows platform, comprising the following steps:
obtaining information about the APIs used for data exchange between kernel mode and user mode of the Windows operating system;
running the program to be analyzed and executing the instructions of the program to be analyzed;
traversing the processes in the Windows operating system, obtaining the process whose name matches the process name of the program to be analyzed, and marking it as the monitored process;
marking the data generated while the monitored process executes as user-mode monitored data;
while the program to be analyzed calls an API used for data exchange between kernel mode and user mode, if the corresponding input parameter is user-mode monitored data, marking the kernel data to which the user-mode monitored data is mapped after input as kernel-mode monitored data;
performing data flow tracing analysis on the user-mode monitored data and the kernel-mode monitored data, so as to determine whether the program to be analyzed exhibits malicious behavior.
Further, obtaining the information about the APIs used for data exchange between kernel mode and user mode of the Windows operating system comprises the following steps:
installing a virtual machine image of the Windows operating system;
obtaining the kernel executables and drivers from the virtual machine image of the Windows operating system;
obtaining, from the kernel executables and drivers, the information about the APIs used for data exchange between user mode and kernel mode.
Further, the information about the APIs used for data exchange between kernel mode and user mode comprises: the call address, input parameters, output parameters and return value of each API used for data exchange between kernel mode and user mode.
Further, running the program to be analyzed and executing the instructions of the program to be analyzed comprises the following steps:
starting the virtual machine image of the Windows operating system using a hardware emulator;
running the program to be analyzed in the Windows operating system;
the CPU executing the instructions of the program to be analyzed.
Further, the processes in the Windows operating system include the processes generated by executing the instructions of the program to be analyzed and the processes generated by executing the instructions of the other programs in the Windows operating system.
Further, performing data flow tracing analysis on the user-mode monitored data and the kernel-mode monitored data comprises the following steps:
obtaining the taint-related data of the user-mode monitored data;
obtaining the taint-related data of the kernel-mode monitored data;
performing data flow tracing analysis on the taint-related data of the user-mode monitored data and the taint-related data of the kernel-mode monitored data.
Further, a taint propagation analysis method is used to perform the data flow tracing analysis on the taint-related data of the user-mode monitored data and the taint-related data of the kernel-mode monitored data.
Further, the method also comprises: if the taint-related data of the user-mode monitored data and/or of the kernel-mode monitored data is sent to a remote address by a called network API, determining that the program to be analyzed exhibits malicious behavior.
Further, the method also comprises: setting up, in the native code layer of the Windows operating system, a data structure for recording the monitored data.
Further, the user-mode monitored data comprises the data returned by one or more of the following operations performed by the program to be analyzed: reading the registry, reading browser cookie information, reading the system configuration, reading application chat data, and sending data to a network address.
According to another aspect of the invention, a controller is provided, comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the steps of the method.
According to another aspect of the invention, a computer-readable storage medium is provided for storing computer instructions which, when executed by a computer or processor, implement the steps of the method.
Compared with the prior art, the invention has clear advantages and beneficial effects. With the above technical solution, the cross-level data flow tracing method based on the Windows platform achieves considerable technical progress and practicality, has wide industrial utility value, and has at least the following advantages:
The invention can monitor user mode, kernel mode, and the cross-level data propagation that takes place through the APIs between user mode and kernel mode. It can therefore analyze malicious programs that contain both user-mode code and kernel-mode code, can monitor the complete processing of data within a program, and has higher accuracy and better analysis capability.
The above is only an overview of the technical solution of the invention. So that the technical means of the invention can be understood more clearly and implemented according to the specification, and so that the above and other objects, features and advantages of the invention are easier to understand, preferred embodiments are described in detail below with reference to the drawing.
Description of the drawings
Fig. 1 is a schematic diagram of the cross-level data flow tracing method based on the Windows platform provided by an embodiment of the invention.
Detailed description
To further explain the technical means adopted by the invention to achieve its intended purpose, and their effects, the specific embodiments and effects of the cross-level data flow tracing method based on the Windows platform proposed by the invention are described in detail below with reference to the drawing and preferred embodiments.
An embodiment of the invention provides a cross-level data flow tracing method based on the Windows platform which, as shown in Fig. 1, comprises the following steps:
Step S1: obtain information about the APIs (Application Program Interfaces) used for data exchange between kernel mode and user mode of the Windows operating system.
Step S1 comprises the following steps:
Step S11: install a virtual machine image of the Windows operating system.
Step S12: obtain the kernel executables and drivers from the virtual machine image of the Windows operating system.
As an example, the kernel executables include ntoskrnl.exe, win32k.sys and so on.
Step S13: obtain, from the kernel executables and drivers, the information about the APIs used for data exchange between user mode and kernel mode.
As an example, the APIs used for data exchange between user mode and kernel mode that are obtained from the kernel executables and drivers include DeviceIoControl, NtReadFile, NtWriteFile and so on.
The information about the APIs used for data exchange between kernel mode and user mode comprises: the call address, input parameters, output parameters and return value of each such API.
When an API used for data exchange between user mode and kernel mode is called, if an incoming parameter belongs to a monitored data flow, the content that the parameter maps to in kernel or user space is also marked as monitored data, and subsequent data flow tracing analysis is performed on it.
Step S2: run the program to be analyzed and execute the instructions of the program to be analyzed.
Step S2 comprises the following steps:
Step S21: start the virtual machine image of the Windows operating system using a hardware emulator.
Specifically, the image path is configured to obtain the location of the Windows operating system image that will actually run, and the emulated memory size, the system start time and the type of emulated CPU of the hardware emulator are configured. After virtual memory initialization is complete, the hardware emulator loads the Windows operating system image and starts the Windows operating system.
As an example, the hardware emulator may be QEMU, comprising a process monitoring module, an instruction monitoring module, a system call monitoring module and so on, used for process monitoring, instruction monitoring, system call monitoring and so on.
Step S22: run the program to be analyzed in the Windows operating system.
Step S23: the CPU executes the instructions of the program to be analyzed.
Step S3: traverse the processes in the Windows operating system, obtain the process whose name matches the process name of the program to be analyzed, and mark it as the monitored process.
The processes in the Windows operating system include the processes generated by executing the instructions of the program to be analyzed and the processes generated by executing the instructions of the other programs in the Windows operating system.
Each process in the Windows kernel is represented by an EPROCESS block (EPROCESS is a data structure). An EPROCESS block contains not only information such as the process's PID (identifier), load address and process name, but also multiple pointers to other related data structures. During actual execution, the EPROCESS state in the Windows operating system is checked continuously. If a new EPROCESS appears in the linked list, the process name in it is examined; if the process name matches the process name of the program to be analyzed, the process is marked as the monitored process and all instructions executed by the monitored process are monitored.
Step S4: mark the data generated while the monitored process executes as user-mode monitored data.
The user-mode monitored data comprises the data returned by one or more of the following operations performed by the program to be analyzed: reading the registry, reading browser cookie information, reading the system configuration, reading application chat data, and sending data to a network address.
Step S5: while the program to be analyzed calls an API used for data exchange between kernel mode and user mode, if the corresponding input parameter is user-mode monitored data, mark the kernel data to which the user-mode monitored data is mapped after input as kernel-mode monitored data.
User-mode code passes data to kernel mode by calling the APIs used for data exchange between kernel mode and user mode. As an example, API calls can be identified by address comparison. In Windows, API interfaces are implemented on the exported functions of the operating system's kernel executables. When the system loads the operating system's kernel executable files and driver files, it automatically parses the export table of the dynamic library and identifies the functions to be monitored according to the API interface each exported function corresponds to. When a function is called, its input parameters are analyzed; if an input parameter is user-mode monitored data, the data in the kernel-mode memory region corresponding to that input parameter is also marked as monitored and recorded as kernel-mode monitored data.
Note that in actual use the API interfaces to be monitored can be configured according to specific requirements, so that the data handling of the malicious code is analyzed comprehensively.
Step S6: perform data flow tracing analysis on the user-mode monitored data and the kernel-mode monitored data, so as to determine whether the program to be analyzed exhibits malicious behavior.
Step S6 comprises the following steps:
Step S61: obtain the taint-related data of the user-mode monitored data.
Step S62: obtain the taint-related data of the kernel-mode monitored data.
Step S63: perform data flow tracing analysis on the taint-related data of the user-mode monitored data and the taint-related data of the kernel-mode monitored data.
As an example, a taint propagation analysis method is used to perform the data flow tracing analysis on the taint-related data of the user-mode monitored data and of the kernel-mode monitored data. It is understood, however, that other data flow tracing algorithms are also applicable.
The method further comprises step S7: if the taint-related data of the user-mode monitored data and/or of the kernel-mode monitored data is sent to a remote address by a called network API, determine that the program to be analyzed exhibits malicious behavior; otherwise, continue monitoring.
Note that the way of determining malicious behavior described in step S7 is only an example. Actual use is not limited to it, and other common ways of determining malicious behavior may also be used.
The method further comprises step S8: set up, in the native code layer of the Windows operating system, a data structure for recording the monitored data. The monitored data comprises the user-mode monitored data, the kernel-mode monitored data, and the data obtained during the related data flow analysis.
Based on the above method steps: when data flow propagation takes place in user mode only, the user-mode monitored data is traced and analyzed; when data flow propagation takes place in kernel mode only, the kernel-mode monitored data is likewise traced and analyzed; when a monitored data-exchange interface function is called, or execution reaches the corresponding function interface, the parameters of the interface function (including incoming memory pointers, registers and so on) are analyzed to determine whether the parameters used by the interface function contain user-mode monitored data. If they do, that data is taken as a new starting point and the propagation of the data flow is monitored in the subsequent level.
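The propagation rule of steps S3 to S7 can be modelled over a constructed event trace, as in the following Python sketch. This is an added example, not code from the patent; the `CrossLevelTracker` name, the event format, the call addresses, PIDs, buffer addresses and the remote address are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

USER, KERNEL = "user", "kernel"

# Step S1 result, constructed for this example: call address -> API name.
BOUNDARY_APIS = {0x1000: "DeviceIoControl", 0x1008: "NtWriteFile"}
NETWORK_APIS = {0x2000: "send"}  # assumed address of a network API


@dataclass
class CrossLevelTracker:
    target: str                                   # process name of the program to be analyzed
    monitored: set = field(default_factory=set)   # PIDs marked as monitored (S3)
    shadow: dict = field(default_factory=dict)    # (level, address) -> set of taint labels
    alerts: list = field(default_factory=list)

    def _labels(self, level, addr, size):
        """Union of the taint labels attached to a buffer."""
        found = set()
        for a in range(addr, addr + size):
            found |= self.shadow.get((level, a), set())
        return found

    def _move(self, src_level, src, dst_level, dst, size):
        """Byte-wise propagation; copying clean bytes clears stale taint."""
        snapshot = [self.shadow.get((src_level, src + i)) for i in range(size)]
        for i, labels in enumerate(snapshot):
            if labels:
                self.shadow[(dst_level, dst + i)] = set(labels)
            else:
                self.shadow.pop((dst_level, dst + i), None)

    def on_process(self, pid, name):
        # S3: a process whose name matches the target becomes the monitored process.
        if name.lower() == self.target.lower():
            self.monitored.add(pid)

    def on_source(self, pid, addr, size, label):
        # S4: data produced by the monitored process is user-mode monitored data.
        if pid in self.monitored:
            for a in range(addr, addr + size):
                self.shadow[(USER, a)] = {label}

    def on_copy(self, pid, level, dst, src, size):
        # User addresses are per process, so only the monitored process is
        # followed there; kernel addresses are shared and always followed.
        if level == KERNEL or pid in self.monitored:
            self._move(level, src, level, dst, size)

    def on_call(self, pid, level, api, buf, size, kbuf=None, remote=None):
        if api in BOUNDARY_APIS and pid in self.monitored:
            # S5: tainted input bytes mark the kernel bytes they are mapped to.
            self._move(USER, buf, KERNEL, kbuf, size)
        elif api in NETWORK_APIS and (level == KERNEL or pid in self.monitored):
            # S7: monitored data handed to a network API for a remote address.
            labels = self._labels(level, buf, size)
            if labels:
                self.alerts.append({"api": NETWORK_APIS[api], "level": level,
                                    "remote": remote, "labels": sorted(labels)})


def analyze(target, trace):
    """Replay a trace of (event kind, fields) pairs and return the alerts raised."""
    tracker = CrossLevelTracker(target)
    for kind, fields in trace:
        getattr(tracker, "on_" + kind)(**fields)
    return tracker.alerts


# Constructed trace: registry data read in user mode crosses into the kernel
# through DeviceIoControl and is sent out from a kernel buffer.
SAMPLE_TRACE = [
    ("process", dict(pid=100, name="explorer.exe")),
    ("process", dict(pid=200, name="sample.exe")),
    ("source", dict(pid=100, addr=0x5000, size=4, label="cookie")),  # not monitored
    ("source", dict(pid=200, addr=0x5000, size=4, label="registry")),
    ("copy", dict(pid=200, level=USER, dst=0x6000, src=0x5000, size=4)),
    ("call", dict(pid=200, level=USER, api=0x1000, buf=0x6000, size=4,
                  kbuf=0xFFFF8000)),
    ("copy", dict(pid=4, level=KERNEL, dst=0xFFFF9000, src=0xFFFF8000, size=4)),
    ("call", dict(pid=4, level=KERNEL, api=0x2000, buf=0xFFFF9000, size=4,
                  remote="203.0.113.5:443")),
]

# Same trace, but the buffer is overwritten with clean bytes before the boundary call.
CLEAN_TRACE = SAMPLE_TRACE[:5] + [
    ("copy", dict(pid=200, level=USER, dst=0x6000, src=0x7000, size=4)),
] + SAMPLE_TRACE[5:]

if __name__ == "__main__":
    print(analyze("sample.exe", SAMPLE_TRACE))
    print(analyze("sample.exe", CLEAN_TRACE))
```

A tracker confined to one level would lose the label at the `DeviceIoControl` call; here the kernel-side `send` is still attributed to the registry read.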
An embodiment of the invention also provides a controller, comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the steps of the method.
An embodiment of the invention also provides a computer-readable storage medium for storing computer instructions which, when executed by a computer or processor, implement the steps of the method.
The method of the invention can monitor user mode, kernel mode, and the cross-level data propagation that takes place through the APIs between user mode and kernel mode. It can therefore analyze malicious programs that contain both user-mode code and kernel-mode code, can monitor the complete processing of data within a program, and has higher accuracy and better analysis capability.
The above is only a preferred embodiment of the invention and does not limit the invention in any form. Although the invention has been disclosed above by way of a preferred embodiment, this is not intended to limit it. Any person skilled in the art may, without departing from the scope of the technical solution of the invention, use the technical content disclosed above to make minor changes or modifications that amount to equivalent embodiments; any simple modification, equivalent change or modification made to the above embodiment according to the technical essence of the invention, without departing from the content of its technical solution, still falls within the scope of the technical solution of the invention.

Claims (10)

1. A cross-level data flow tracing method based on the Windows platform, characterized in that it comprises the following steps:
obtaining information about the APIs used for data exchange between kernel mode and user mode of the Windows operating system;
running the program to be analyzed and executing the instructions of the program to be analyzed;
traversing the processes in the Windows operating system, obtaining the process whose name matches the process name of the program to be analyzed, and marking it as the monitored process;
marking the data generated while the monitored process executes as user-mode monitored data;
while the program to be analyzed calls an API used for data exchange between kernel mode and user mode, if the corresponding input parameter is user-mode monitored data, marking the kernel data to which the user-mode monitored data is mapped after input as kernel-mode monitored data;
performing data flow tracing analysis on the user-mode monitored data and the kernel-mode monitored data, so as to determine whether the program to be analyzed exhibits malicious behavior.
2. The cross-level data flow tracing method based on the Windows platform according to claim 1, characterized in that:
obtaining the information about the APIs used for data exchange between kernel mode and user mode of the Windows operating system comprises the following steps:
installing a virtual machine image of the Windows operating system;
obtaining the kernel executables and drivers from the virtual machine image of the Windows operating system;
obtaining, from the kernel executables and drivers, the information about the APIs used for data exchange between user mode and kernel mode.
3. The cross-level data flow tracing method based on the Windows platform according to claim 1, characterized in that:
the information about the APIs used for data exchange between kernel mode and user mode comprises: the call address, input parameters, output parameters and return value of each API used for data exchange between kernel mode and user mode.
4. The cross-level data flow tracing method based on the Windows platform according to claim 2, characterized in that:
running the program to be analyzed and executing the instructions of the program to be analyzed comprises the following steps:
starting the virtual machine image of the Windows operating system using a hardware emulator;
running the program to be analyzed in the Windows operating system;
the CPU executing the instructions of the program to be analyzed.
5. The cross-level data flow tracing method based on the Windows platform according to claim 1, characterized in that:
the processes in the Windows operating system include the processes generated by executing the instructions of the program to be analyzed and the processes generated by executing the instructions of the other programs in the Windows operating system.
6. The cross-level data flow tracing method based on the Windows platform according to claim 1, characterized in that:
performing data flow tracing analysis on the user-mode monitored data and the kernel-mode monitored data comprises the following steps:
obtaining the taint-related data of the user-mode monitored data;
obtaining the taint-related data of the kernel-mode monitored data;
performing data flow tracing analysis on the taint-related data of the user-mode monitored data and the taint-related data of the kernel-mode monitored data.
7. The cross-level data flow tracing method based on the Windows platform according to claim 6, characterized in that:
a taint propagation analysis method is used to perform the data flow tracing analysis on the taint-related data of the user-mode monitored data and the taint-related data of the kernel-mode monitored data.
8. The cross-level data flow tracing method based on the Windows platform according to claim 7, characterized in that:
the method further comprises: if the taint-related data of the user-mode monitored data and/or of the kernel-mode monitored data is sent to a remote address by a called network API, determining that the program to be analyzed exhibits malicious behavior.
9. The cross-level data flow tracing method based on the Windows platform according to any one of claims 1-8, characterized in that:
the method further comprises: setting up, in the native code layer of the Windows operating system, a data structure for recording the monitored data.
10. The cross-level data flow tracing method based on the Windows platform according to any one of claims 1-8, characterized in that:
the user-mode monitored data comprises the data returned by one or more of the following operations performed by the program to be analyzed: reading the registry, reading browser cookie information, reading the system configuration, reading application chat data, and sending data to a network address.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810148627.XA CN108229172A (en) 2018-02-13 2018-02-13 Astride hierarchy data flow method for tracing based on windows platforms

Publications (1)

Publication Number Publication Date
CN108229172A true CN108229172A (en) 2018-06-29

Family

ID=62661909

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810148627.XA Pending CN108229172A (en) 2018-02-13 2018-02-13 Astride hierarchy data flow method for tracing based on windows platforms

Country Status (1)

Country Link
CN (1) CN108229172A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112269536A (en) * 2020-10-16 2021-01-26 苏州浪潮智能科技有限公司 Method and device for optimizing storage software system and computer readable storage medium
CN114115746A (en) * 2021-12-02 2022-03-01 北京乐讯科技有限公司 Full link tracking device of user mode storage system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102054149A (en) * 2009-11-06 2011-05-11 中国科学院研究生院 Method for extracting malicious code behavior characteristic
CN102622536A (en) * 2011-01-26 2012-08-01 中国科学院软件研究所 Method for catching malicious codes
US20140096250A1 (en) * 2012-09-28 2014-04-03 Kaspersky Lab Zao System and method for countering detection of emulation by malware
CN104715190A (en) * 2015-02-03 2015-06-17 中国科学院计算技术研究所 Method and system for monitoring program execution path on basis of deep learning
CN106599681A (en) * 2016-12-22 2017-04-26 北京邮电大学 Malicious program characteristic extraction method and system
CN107526966A (en) * 2016-06-21 2017-12-29 中国科学院软件研究所 A kind of compound tainting method for tracing of Android platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
倪涛: "Windows内核漏洞检测与利用关键技术研究", 《中国优秀硕士学位论文全文数据库信息科技辑》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20180629